<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="The 天朝挖煤 challenges are beyond me now.."/>




  <meta name="keywords" content="ctf, writeup, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/04/29/天朝挖煤的题已经不会做了。。/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  













    <title> The 天朝挖煤 challenges are beyond me now.. - 八一 </title>
  </head>

  <body><div id="mobile-navbar" class="mobile-navbar">
  <div class="mobile-header-logo">
    <a href="/." class="logo">八一</a>
  </div>
  <div class="mobile-navbar-icon">
    <span></span>
    <span></span>
    <span></span>
  </div>
</div>

<nav id="mobile-menu" class="mobile-menu slideout-menu">
  <ul class="mobile-menu-list">
    
      <a href="/archives">
        <li class="mobile-menu-item">
          
          
            Posts
          
        </li>
      </a>
    
      <a href="/tags">
        <li class="mobile-menu-item">
          
          
            Tags
          
        </li>
      </a>
    
      <a href="/about">
        <li class="mobile-menu-item">
          
          
            About / Links
          
        </li>
      </a>
    
      <a href="/search">
        <li class="mobile-menu-item">
          
          
            Site Search
          
        </li>
      </a>
    
  </ul>
</nav>

    <div class="container" id="mobile-panel">
      <header id="header" class="header"><div class="logo-wrapper">
  <a href="/." class="logo">八一</a>
</div>

<nav class="site-navbar">
  
    <ul id="menu" class="menu">
      
        <li class="menu-item">
          <a class="menu-item-link" href="/archives">
            
            
              Posts
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/tags">
            
            
              Tags
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/about">
            
            
              About / Links
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/search">
            
            
              Site Search
            
          </a>
        </li>
      
    </ul>
  
</nav>

      </header>

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          The 天朝挖煤 challenges are beyond me now..
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-04-29
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">Contents</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#phpcmsV9"><span class="toc-text">phpcmsV9</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#php变量覆盖漏洞"><span class="toc-text">PHP variable overwrite vulnerability</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#正则？Misc"><span class="toc-text">Regex? Misc?</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#近日"><span class="toc-text">Lately</span></a></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>I couldn't get any further with the remaining 挖煤天朝 challenges for now... Some seniors recommended another platform, so I went over and messed around on it a bit.<a id="more"></a></p>
<h2 id="phpcmsV9"><a href="#phpcmsV9" class="headerlink" title="phpcmsV9"></a>phpcmsV9</h2><blockquote>
<p>First, about the first challenge: only after a senior handed me the writeup did I learn it was a recent vulnerability......<br>After searching Baidu I found that phpcms vulnerabilities really do turn up often.<br>This latest one is in the registration page: you can get a shell without even logging in, and it had reportedly been circulating for half a year before it was disclosed... orz.<br>The big shots are truly scary. First reproduce the vulnerability to get the flag: open HackBar, the handy Firefox add-on,<br>and submit a one-line webshell (一句话木马) in the content field.</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWBrR.png" alt="phpcmsv9-1"><br><strong>Screenshot of the result</strong><br><img src="https://s1.ax1x.com/2018/01/01/pSW1rn.png" alt="phpcmsv9-2"></p>
<blockquote>
<p>Then bring out 菜刀 (the China Chopper webshell client), get the shell; the flag is in the root directory.</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSW3bq.png" alt="phpcmsv9-3"></p>
<blockquote>
<p>While looking for the source I also tried to understand how it works; here is a little, based on what the more experienced people wrote up.<br>From the source below: the first statement shows that a registered username may not repeat, so if one POST fails you have to change the username before retrying.<br>Second, the extensions accepted for submitted images are restricted to <span style="color: red;">gif|jpg|jpeg|bmp|png</span>; note that this check is a regex over the URL text inside href=/src= attributes, which merely has to end in one of those extensions.<br>Finally, any image in the content field must be given as a URL, and... a function then copies each remote image to the local server.</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="code"><pre>// member registration: a field flagged isunique may not repeat
// ("$name 的值不得重复！" = "the value of $name must not be repeated!"), so every retry needs a fresh username
if($this-&gt;fields[$field]['isunique'] &amp;&amp; $this-&gt;db-&gt;get_one(array($field=&gt;$value),$field) &amp;&amp; ROUTE_A != 'edit')
	showmessage("$name 的值不得重复！");

// attachment class: the remote-image downloader; the accepted extensions are a default parameter
function download($field, $value,$watermark='0',$ext='gif|jpg|jpeg|bmp|png',$absurl='',$basehref='')

// inside download(): only href=/src= values whose text ends in an allowed extension are fetched;
// $string is the content being scanned, $matches[3] the URLs that will be copied to the server
if(!preg_match_all("/(href|src)=([\"|']?)([^ \"'&gt;]+\.($ext))\\2/i", $string, $matches))
	return $value;
</pre></td></tr></table></figure>
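<p>To make the gap concrete, here is an added example of mine (not phpcms code): it runs the regex quoted above over a constructed content string, then applies a stricter check on the URL's path and on the downloaded bytes. The host names img.example and attacker.example, the file names, and the function names are all made up for illustration.</p>

```php
<?php
// Added example, not phpcms code. It runs the allow-list regex quoted from
// attachment download() above over constructed content, then shows a
// stricter check. All host and file names are made up for illustration.

const ALLOWED_EXT = 'gif|jpg|jpeg|bmp|png';

// The gate phpcms applies: the regex from download(). It only looks at the
// URL text inside href=/src= and accepts it when that text ends in an allowed
// extension right before the closing quote. Returns the accepted URLs.
function phpcms_style_urls(string $html, string $ext = ALLOWED_EXT): array
{
    if (!preg_match_all("/(href|src)=([\"|']?)([^ \"'>]+\.($ext))\\2/i", $html, $m)) {
        return [];
    }
    return $m[3];
}

// Stricter: decide on the URL's path component, so neither the query string
// nor the fragment can supply the ".jpg" that satisfies the check, and
// require an http(s) URL with a host.
function path_has_allowed_ext(string $url, string $ext = ALLOWED_EXT): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host']) || empty($p['path'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $e = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return $e !== '' && in_array($e, explode('|', $ext), true);
}

// A good-looking URL proves nothing about the bytes the remote server returns:
// after fetching, check that the body really is an image before writing it
// anywhere under the web root.
function looks_like_image(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false
        && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_BMP, IMAGETYPE_PNG], true);
}

// Constructed content-field value: one ordinary image plus three URLs a
// registrant might submit.
$content = '<p>hello</p>'
    . '<img src="http://img.example/photo.png">'
    . '<img src="http://attacker.example/shell.php?x=.jpg">'
    . '<img src="http://attacker.example/shell.txt?.php#.jpg">'
    . '<img src="http://attacker.example/shell.php">';

foreach (phpcms_style_urls($content) as $url) {
    printf("%-50s regex: pass   path check: %s\n",
        $url, path_has_allowed_ext($url) ? 'pass' : 'FAIL');
}
// The last URL is never listed: without an allowed extension somewhere in its
// text the regex skips it. The two shell.* URLs pass the regex (their text
// ends in .jpg) but fail the path check (their paths end in .php and .txt).

// Content check: a 1x1 GIF (constructed, base64) passes, PHP source does not.
var_dump(looks_like_image(base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAkQBADs=')));  // bool(true)
var_dump(looks_like_image('<?php echo 1; ?>'));                                              // bool(false)
```

<p>The point of the three layers is that each catches something the previous one cannot: the regex only sees the URL text, the path check ignores query and fragment, and only the byte check says anything about what the remote host actually served.</p>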
<h2 id="php变量覆盖漏洞"><a href="#php变量覆盖漏洞" class="headerlink" title="PHP variable overwrite vulnerability"></a>PHP variable overwrite vulnerability</h2><p><img src="https://s1.ax1x.com/2018/01/01/pSWY5T.png" alt="phpbianliang-1"></p>
<blockquote>
<p>Opening the link shows this code, which involves <span style="color: red;">the file_get_contents function and extract($_GET)</span>.<br>The official documentation for file_get_contents is shown below; clearly the variable $fn is meant to be a URL or a file path.<br>The old approach was to exploit an unreadable file: file_get_contents returns false when it cannot read $fn, and false == '' under PHP's loose comparison, so <strong>ac=&amp;fn=1</strong> passed.</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWK2Q.png" alt="phpbianliang-3"><br>But this challenge requires $ac to be non-empty, so after a lot of searching: use PHP's input stream, the <span style="color: red;">php://input</span> wrapper (a stream wrapper, not a function).<br>php://input returns the raw POST body exactly as sent, so pointing fn at php://input and sending a POST body equal to ac makes file_get_contents($fn) return the same string as $ac, which gives the payload below.<br><img src="https://s1.ax1x.com/2018/01/01/pSWlKs.png" alt="phpbianliang-2"></p>
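<p>The challenge source is only shown as a screenshot, so here is an added example of mine (not the challenge's code) that models the extract($_GET) + file_get_contents pattern the post describes, side by side with a version that does not have the problem. The function names, the KEY{...} placeholder and the notes.txt allow-list are assumptions; the attack is driven from the CLI with a constructed $_GET, using the data: wrapper to stand in for php://input because a CLI run has no request body.</p>

```php
<?php
// Added example, not the challenge's code (the post shows that only as a
// screenshot). It models the extract($_GET) + file_get_contents() pattern the
// post describes and drives it from the CLI with a constructed $_GET, since a
// CLI run has no request body to reach through php://input.

// Vulnerable shape. With extract(), every query parameter becomes a local
// variable, so the request controls both the file name and the string it is
// compared against. The loose == is what made the old trick work: an
// unreadable $fn gives false, and false == '' is true in PHP.
function vulnerable(array $get): string
{
    $fn = 'default.txt';
    $ac = '';
    extract($get);                         // overwrites $fn and $ac (and anything else)
    if ($ac === '') {
        return 'ac must not be empty';     // the restriction this challenge added
    }
    if (@file_get_contents($fn) == $ac) {
        return 'KEY{...}';                 // stand-in for the real flag, which is not on the page
    }
    return 'no';
}

// Hardened shape: no extract(), parameters read explicitly, and the readable
// files chosen from a fixed map instead of a caller-supplied path or wrapper.
function hardened(array $get): string
{
    $ac = isset($get['ac']) && is_string($get['ac']) ? $get['ac'] : '';
    $fn = isset($get['fn']) && is_string($get['fn']) ? $get['fn'] : '';
    if ($ac === '') {
        return 'ac must not be empty';
    }
    $readable = ['notes' => __DIR__ . '/notes.txt'];   // hypothetical allow-list
    if (!array_key_exists($fn, $readable)) {
        return 'no';
    }
    $data = file_get_contents($readable[$fn]);
    return ($data !== false && hash_equals($data, $ac)) ? 'KEY{...}' : 'no';
}

// The request the post describes, against a real server:
//   POST /?ac=hello&fn=php://input      body: hello
// php://input yields the raw POST body, so file_get_contents($fn) returns
// exactly the bytes we chose. Here the data: wrapper plays that role (it also
// works against the same pattern when allow_url_fopen is on, the default).
$attack = ['ac' => 'hello', 'fn' => 'data://text/plain,hello'];
echo vulnerable($attack), "\n";                       // KEY{...}
echo hardened($attack), "\n";                         // no

// The old trick, blocked by the non-empty check on $ac:
echo vulnerable(['ac' => '', 'fn' => '1']), "\n";     // ac must not be empty
```

<p>The non-empty check on $ac does not help because the real defect is elsewhere: extract() hands variable assignment to the request, and file_get_contents() accepts any stream wrapper, so the attacker can pick both the source of the bytes and the value they are compared against.</p>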
<h2 id="正则？Misc"><a href="#正则？Misc" class="headerlink" title="Regex? Misc?"></a>Regex? Misc?</h2><figure class="highlight php"><table><tr><td class="code"><pre>&lt;?php
// the challenge source: show this file, then hand out $key if the id parameter satisfies the regex
highlight_file('2.php');
$key = 'KEY{********************************}';
$IM = preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if ($IM) {
    die('key is: ' . $key);
}
?&gt;
</pre></td></tr></table></figure>
<blockquote>
<p>I remember 挖煤天朝 had a challenge like this too, but it seems to have been taken down....<br>Obviously a regex. I don't know regexes yet, but I can always Baidu it for now: <a href="http://deerchao.net/tutorials/regex/regex.htm" target="_blank" rel="noopener">supposedly a 30-minute regex primer</a><br>Passing id=keykeykeykeykeykeykey:/a/aakeya:] does it.</p>
</blockquote>
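<p>As an added example (mine, not part of the original post), the script below applies the challenge regex to the post's payload, to a shorter one, and to a near miss, and prints which slice of the input each part of the pattern consumed. The id values are constructed; no server is needed.</p>

```php
<?php
// Added example, not the challenge's code: the challenge regex is applied to
// the post's payload, to a shorter one, and to a near miss, with each part of
// the pattern spelled out. No server is needed; the id values are constructed.

const CHALLENGE_RE = "/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i";

// What the pattern demands, left to right (case-insensitive, and preg_match
// only needs a match somewhere in the string, not a full match):
//   key  .*  key  .{4,7}  key:/  .  /  (.*key)  [a-z]  [[:punct:]]
// i.e. three "key"s, 4 to 7 arbitrary characters between the 2nd and 3rd,
// then ":/", any single character, "/", anything ending in "key", one ASCII
// letter and one punctuation character.
function gives_key(string $id): bool
{
    return preg_match(CHALLENGE_RE, trim($id)) === 1;
}

// Same pattern with every part captured, so we can show what each one matched.
function explain(string $id): string
{
    $re = "/(key)(.*)(key)(.{4,7})(key:\/)(.)(\/)(.*key)([a-z])([[:punct:]])/i";
    if (!preg_match($re, trim($id), $m)) {
        return 'no match';
    }
    return implode(' | ', array_slice($m, 1));
}

$cases = [
    'keykeykeykeykeykeykey:/a/aakeya:]',  // the payload from the post
    'keykeyAAAAkey:/x/keya!',             // shortest shape: .* empty, .{4,7} = 4 chars, (.*key) = "key"
    'keykeyAAAkey:/x/keya!',              // near miss: only 3 characters between the 2nd and 3rd key
    'KEY KEY 1234 KEY:/_/KEYz.',          // case does not matter, and . happily matches a space
];

foreach ($cases as $id) {
    printf("%-36s %-4s %s\n", $id, gives_key($id) ? 'key' : 'no', explain($id));
}
```

<p>Reading the captured slices is the quickest way to see why the near miss fails: with only three characters between the second and third key, no arrangement of the three "key" occurrences satisfies .{4,7} followed immediately by key:/.</p>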
<h2 id="近日"><a href="#近日" class="headerlink" title="Lately"></a>Lately</h2><p>Hahaha..... These past couple of days all my free time has gone into setting up a virtual pentesting lab, which really burned a lot of time, and it still isn't running smoothly. I haven't got much of the development work done either....<br>Just noting two lessons learned.</p>
<blockquote>
<p>First, the VM: I had never managed to get it to go full-screen, and copying and pasting files between it and the host machine was a real headache and hassle.<br>A senior from 航海 had told me the shortcut keys before, but it still wouldn't go full-screen; only today did I learn it was because VMware Tools wasn't installed.......</p>
</blockquote>
<p>Second, for a Windows 2003 VM to talk to the host machine, the VM's network connection has to be changed to bridged and the adapter switched, which can be done in the Virtual Network Editor.</p>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/ctf/">ctf</a>
            
              <a href="/tags/writeup/">writeup</a>
            
          </div>
        
        
        
  <nav class="post-nav">
    
      <a class="prev" href="/2017/05/06/Wordpress安装及4.6漏洞问题/">
        <i class="iconfont icon-left"></i>
        <span class="prev-text nav-default">WordPress installation and the 4.6 vulnerability</span>
        <span class="prev-text nav-mobile">Previous</span>
      </a>
    
    
      <a class="next" href="/2017/04/23/Python-str-decode-error/">
        <span class="next-text nav-default">Python str decode---error</span>
        <span class="prev-text nav-mobile">Next</span>
        <i class="iconfont icon-right"></i>
      </a>
    
  </nav>

      </footer>
    

  </article>


          </div>
          
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">

  <div class="social-links">
    
      
        
          <a href="https://github.com/bay1" class="iconfont icon-github" title="github"></a>
        
      
    
      
        
          <a href="http://weibo.com/3190704711/profile?topnav=1&wvr=6&is_all=1" class="iconfont icon-weibo" title="weibo"></a>
        
      
    
      
    
      
    
      
    
    
    
  </div>


<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

      <div class="back-to-top" id="back-to-top">
        <i class="iconfont icon-up"></i>
      </div>
    </div>

    
  



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
$(document).ready(function(){
 $('pre').addClass('prettyprint');
   prettyPrint();
 })
</script>
  </body>
</html>
